Note that spam is a more generic term that includes broadcast posting to newsgroups as
well as individuals. Here's a spam glossary and another spam glossary. The
Netizen's Guide to Spam, Abuse, and Internet Advertising
provides solid information on the topic.
Also check out
The Net Abuse FAQ
for the official definition of SPAM and lots of good information about
how to deal with it. Also see the net-abuse/spam FAQ at
www.faqs.org/
for net-abuse newsgroups, providing lots of good info and plenty of detail.
(Note that the old alt.current-events.net-abuse newsgroup has been superseded by
the news.admin.net-abuse.* hierarchy; see
newsgroup information.)

Spam is, unfortunately, an abuse of the internet that you - the end user - ultimately pay for. If you think spam costs nothing, think again! In 1997, America Online estimated that between 5% and 30% of its email server resources were exclusively dedicated to handling spam. Between $2-3 of your monthly internet charges go to handling spam, according to the 1998 Washington State Commercial Electronic Messages Select Task Force report. 7% of Internet users who switch ISPs do so because of spam. This equates to a loss of more than $250,000 per month for an ISP with one million subscribers.
Also see the essays The Insidious Evil of Spam and The Spam Solutions.

Spam costs you and your Internet Service Provider (ISP). Here are the True Costs of Spam, as calculated by actual victims of spam. In a survey of ISPs by CIX (Commercial Internet eXchange Association):

Spam can cause system outages: excess mail can clog up the mail servers, preventing non-spam e-mail
from getting through.
America Online testified to the Federal Trade Commission that one-third of their capacity was used to carry spam.
Netcom reported that their cost was one million dollars per year.
Brightline estimated a cost of $225 million, based on 5 seconds to hit the Delete key, with an average of 200 spam messages per person per year (a very low estimate). An estimated 25 million spam messages are sent each day.

"Spammers are the Internet's undead. Preying upon the innocent and naive, these bandwidth-sucking vampires hope to be network masters hiding in the shadows in cowardice and shame, only to fade to dust when burned by the light of day." - Bill McCarthy, Boardwatch, June 2000

Take the Boulder Pledge: "Under no circumstances will I ever purchase
anything offered to me as the result of an unsolicited email message. Nor
will I forward chain letters, petitions, mass mailings, or virus warnings
to large numbers of others. This is my contribution to the survival of the
online community."

Who to Complain to?

Never reply to spam, even if it is to send a "remove" request.
Most spammers ignore such responses, or worse, add you to their list of validated email addresses that they sell.
Instead, you must complain to ISPs that originate and forward the spam.
The easiest way to report spam is to use the automatic reporting features of
SpamCop, described below. Use SpamCop and help reduce the volume of spam!

If you know the spam came from an individual, you can tell the spammer that you charge for use of your facilities to transmit and store unsolicited junk email, and insist on their postal address so that you can send the bill.
You may e-mail this
standard legal response
which references
US Code Title 47, Section 227(b)(1)(C),
which can be interpreted to mean that unwanted spam is illegal. (Thanks to D. Larson; this
response was very effective before the advent of more organized commercial spammers).
Copy the message to:

Complain directly to the postmasters of these spammers and insist that they
take disciplinary action. If their business name matches their domain name,
complain to the postmaster at the next link up.
Be sure to include the complete original spam including
all header information. Simply copy the original spam and its header
information after the legal notice. Also remove any residual CCs and BCCs
in your e-mail header - you don't want to inadvertently propagate the spam!

Next post a copy of the spam, with headers, subject line, and body intact to
the following Usenet newsgroup:

news.admin.net-abuse.sightings

First check the newsgroup to ensure no one else has posted the spam -
no need to clutter up the newsgroup with multiple postings.
Be sure you post the article as a new post, not as a "reply" to the spam
posting - this way you won't perpetuate the spam.
This newsgroup is robomoderated, and is used to identify new spam.
After spam is posted to this newsgroup, it will then be cancelled.
In your posting to sightings, add the following lines to your header:

If your email complaints to spammers' postmasters bounce back to you,
you can do a traceroute - see the combat sites.
(Windows 98 users can use c:\windows\tracert.exe).
Using traceroute, you can sort out the path taken to get from your
ISP to a spammer's ISP. To precisely pinpoint a spammer's uplink,
run traceroute from several different servers (ISPs).
For more information, see the next section on Cracking Forged Headers.

You may find it most effective to complain to the spammer's ISP. However,
if the spammer is running from a dedicated spam site
(such as Cyberpromo),
you might have better luck complaining to their upstream provider.
Don't complain further up the chain, though,
until you've exhausted the lower levels. It's considered rude, and just
might get your postmaster into legitimate trouble.

Don't mail-bomb, as periodically suggested by persons trying to get rid of junk email. A mail-bomb is where you would
bombard the sender with a return of their spam and a note insisting they
delete you from their distribution list - and then keep resending your email.

Keep in mind that
your ISP (and probably the offending party's) certainly will not approve
of either of these practices (it very well can get you cancelled).
What actually ends up happening is that your ISP (who is on your side) gets
trashed with all of the e-mail traffic, as well as the ISP of the offending
party - and both ISPs are probably innocent.
In addition, chances are that the spammer forged their "path" and "from"
headers, so the mail-bomb probably won't reach them.

Also, check out the discussion on news.admin.net-abuse.email.
They discuss email spams, and practice ways of
eliminating these spammers' accounts.

If you need to use these facilities, your followup e-mail should also
mention that the spammer hacked the email headers to avoid retribution,
which indicates knowledge of guilt, which means that the postmaster will
often cancel the account immediately instead of waiting for further
violations. In addition, many postmasters will not notify you directly
of their actions, but will instead post summaries to
news.admin.net-abuse.bulletins.

If the spammer's address is an independent address like "pwrnet.com", you can
determine responsible parties by using whois - a standard UNIX utility.
Or, simply go to www.betterwhois.com for a web-based domain lookup. Also, Whois Source offers some industrial strength lookup facilities.
Whois, Finger, and additional network utilities are also available for Windows.
One good package is:

ARIN.
ARIN is one of three Regional Internet Registries (RIRs) worldwide which collectively provide IP registration services to all regions around the globe. The others are:
RIPE NCC for Europe, Middle East, parts of Africa, and
APNIC for Asia Pacific.

Once you determine the appropriate people to contact at the spammer's site,
copy each of them with your complaint (including for example, the legal statement
and billing statement noted above).
If you need additional help, contact your system administrator
about specific email abuse.

SpamCop will automatically send complaints about spam for you! All you have to do is establish a userid, then forward your spam to SpamCop. SpamCop will generate complaints to all appropriate parties, upstreams, and open email relay ISPs. Using SpamCop is probably the best thing you can do to help eliminate spam. Effective and highly recommended!

Fraud

Chain letters over the internet as well as via snail mail are illegal. For more information,
see the
US Postal Service
page on chain letters. To report fraud where money is requested, you can send e-mail to
fraud@uspis.gov.

Many junk emails are illegal get-rich scams. The
National Fraud Information Center
has an email address where you can report suspected scams. They
have an Internet fraud division, and work
closely with the Federal Trade Commission and state attorneys general.
The e-mail address for general frauds is fraudinfo@psinet.com.

The Boycott Internet Spam
site provides an FAQ, lots of info on spam, filtering e-mail, blocking an ISP, etc.,
and contains some interesting links.

Adcomplain
is a unix-based system which composes and mails complaints about inappropriate
commercial postings, chain letters, and e-mail. For example, you can press a button from within your
newsreader, and adcomplain will automatically mail a complaint to the offender and their postmaster.

Screen4me is a free service that helps you eliminate junkmail, spam, and telemarketers.

Sneakemail is a free service that you can use to
generate disposable email addresses which are aliases of your real email address, which is kept hidden. You can enter these Sneakemail addresses into web forms or use them to contact e-businesses without the risk of your real address being abused or bought and sold.

Spam Inspector is a commercial product that bounces email back to spammers as if your mailbox is invalid.

Bluebottle offers a fee-based service to accept mail only from known senders.

SpamAssassin is a Unix-based filtering tool that uses
Vipul's Razor database of spam (commonly known as SpamNet).
Spamnix is available as a commercial Eudora (Windows) plugin.

Cloudmark Spamnet also offers the same SpamNet technology with Outlook Express under Windows.

Don't support scams and spammers!

Don't send in money for a product you are not sure of, or for what might be an anti-spam scam.

TSW's $15 filter kills junk e-mail on your server.
However, if you buy their filter, you are supporting their spamming software and list extraction software.
Watch out for wolves in sheep's clothing!

What to Filter - Lists of Spammers

Most e-mail spam is generated automatically by software which eliminates the TO: header field.
You might want to filter e-mail that does not have your e-mail address in at least one of the header fields
TO:, CC:, BCC:. However, keep in mind that many legitimate listservers that you
subscribe to might also trim the TO: field.
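The header test described above, with the listserver caveat handled by an allow-list, as an added example (not code from the original page). The addresses, list names and sample messages are constructed, and the Sender:/List-Id: allow-list and the "quarantine" outcome are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_ADDRESSES = {"fred@example.org"}            # assumed: the user's own addresses
SUBSCRIBED = {"owner-spam-l@lists.example",    # assumed: Sender: addresses or
              "spam-ad.lists.example"}         # List-Id: values of lists you joined

def addressed_to_me(msg, mine=MY_ADDRESSES):
    """True if one of my addresses appears in To:, Cc: or Bcc:."""
    values = []
    for field in ("To", "Cc", "Bcc"):
        values.extend(msg.get_all(field, []))  # a missing field contributes nothing
    found = {addr.lower() for _name, addr in getaddresses(values) if addr}
    return bool(found & mine)

def from_subscribed_list(msg, lists=SUBSCRIBED):
    """True if Sender: or List-Id: names a list the user subscribed to."""
    sender = parseaddr(msg.get("Sender", ""))[1].lower()
    match = re.search(r"<([^<>]+)>", msg.get("List-Id", ""))
    list_id = match.group(1).lower() if match else ""
    return sender in lists or list_id in lists

def classify(raw):
    """Return 'inbox', 'list' or 'quarantine' for one raw message."""
    msg = message_from_string(raw)
    if addressed_to_me(msg):
        return "inbox"
    if from_subscribed_list(msg):
        return "list"
    # Bcc: is normally removed before delivery, so blind-copied legitimate
    # mail also ends up here: hold it for review rather than deleting it.
    return "quarantine"

# Constructed sample messages, not real mail.
SAMPLES = {
    "no_to": "From: deals@bulk.example\nSubject: Make money fast\n\nBuy now\n",
    "other_rcpt": "From: deals@bulk.example\nTo: friend@public.example\n"
                  "Subject: Offer\n\nBuy now\n",
    "direct": "From: a@example.net\nTo: Fred <fred@example.org>\n"
              "Subject: hi\n\nLunch?\n",
    "cc_case": "From: a@example.net\nTo: b@example.net\nCc: FRED@Example.ORG\n"
               "Subject: fyi\n\nSee below\n",
    "listserv": "From: c@example.net\nSender: owner-spam-l@lists.example\n"
                "To: spam-l@lists.example\nSubject: tracking\n\nHeaders attached\n",
    "list_id": "From: d@example.net\nList-Id: Spam-Ad <spam-ad.lists.example>\n"
               "Subject: digest\n\nDigest body\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {classify(raw)}")
```
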

Legislation

News

The Can-Spam act was passed in 2003. ("Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003"). Here is information and text of the act. The act covers commercial email, but does not seem to address non-profit and personal email.
Here's how to comply with the act.
The act is not perfect - from Ed Foster's gripe log:

"It's clear that only the Direct Marketing Association, Microsoft, AOL and a handful of others had any input into the law, because it's carefully crafted to allow the big marketers free reign. And the loopholes it provides them will be more than big enough to provide aid and comfort for the smallest and sleaziest of spammers as well."

"Not only does the Can-Spam Act take an opt-out approach, meaning that each spammer can e-mail you until you ask them to stop, but it allows the spammer to dictate what steps you must take to get off their list. The recipient must opt-out "in a manner specified in the message" that can include replying to an opt-out email address or "other Internet-based mechanism." The spammer can also force the recipient to opt-out via "a list or menu from which the recipient may choose the specific types of commercial electronic mail messages the recipient wants to receive or does not want to receive from the sender" just as long as opting out from all e-mail from that sender is one of the choices."

According to
PC World News Radio
on 3/30/98, EarthLink Nails Spamford for $2 Million.
Under a consent decree, Cyber Promotions agreed to pay EarthLink
$2 million and stop spamming EarthLink's
450,000 members. If Wallace or Cyber Promotions breaks the agreement,
Spamford Wallace will be held personally liable for $1 million.

Support CAUCE

CAUCE is an organization dedicated to expanding the US "junk fax" law to cover e-mail spamming.
Join their effort!
See their FAQ and list of recent news articles.
Key points are ONCE, which stands for:

Opt-in. No spam. People get info when they ask for it.

No censorship. The leading objection to regulation does not apply.

Cost shifting. The principal reason for opposing spam.

Enforcement. By recipients, with no intrusion by government.

Several bills have been introduced over the last several years to deal with spam,
by Chris Smith (R-NJ), Senator Murkowski (R-AK), and Senator Torricelli (D-NJ).
Truly effective legislation must have teeth in it with stiff penalties, be truly opt-in, and must be enforceable. It must be written in such a way that does not simply encourage spammers to shift operations overseas or use innovative approaches to avoid the penalties. None of the bills introduced to date have adequately addressed these issues.

One thing that seems inevitable, though, is that federal legislation of some sort will be required.
Here's an editorial that sheds a lot of light on the subject.
Also see discussion on the merits of legislation.

Contact Your Congresspersons!

Here are e-mail addresses and information for:

The Capitol Switchboard will connect you directly to your Senator or Representative: 202.225.3121.

Find out who your Senators and Representatives are at www.congress.org - just enter your zipcode.

US White House.
Send e-mail to the President and Vice-President.
The actual e-mail addresses are: president@whitehouse.gov and vice.president@whitehouse.gov.

Please write and/or e-mail your Senators and Representatives on this issue! Insist on "opt in" legislation.
Be sure to include your full name and snail mail address on any e-mail you send, otherwise it will be discarded.

MailExpire lets you set up an auto-expiring email alias. You choose how long you want the alias to last, and during that time, email is
forwarded to your standard email address.

Although they charge for the service, www.pobox.com
claims to be able to filter most spam from their e-mail accounts.
PaidMail is a service where junkemailers would have to pay you for you to receive their junkemail.

A philosophical note on exclusion lists, where you add your name to a list
of people who do not want junk mail:
it places the burden of getting off spam lists on the user, whereas
the converse should be true - you should have to explicitly request that you do
want junk mail. Also keep in mind that someone who maintains an exclusion list
could sell it as a database of validated addresses (e-mail as well as postal
addresses). Sort of what can, and does, happen with
DMA.

In May of 1997, the Internet EMail Marketing
was formed. As a pro-spam organization, it offers an opt-out service. This is unacceptable,
for the following reasons:

The organization is formulated as a consortium of entities that promote spamming.
It is an organization dedicated towards promoting spam, not alleviating it.
Item (7) of their objectives states "To respond to opponents and adversaries of the
E-Mail Marketing industry". That fairly well states their purpose.

Interesting that the organization was formed just before the FTC hearings on
privacy, spam, and the Internet earlier this month. If spammers can state that they
have a voluntary control mechanism in place, then that precludes the FTC and Congress
from needing to intervene on behalf of consumers. The last thing spammers want is
effective legislation.
An analogy is the Direct Marketing Association.
It exists for the primary purpose of
preventing legislation from being enacted to restrict junk snailmail. By creating their
Mail Preference Service (where you write to supposedly get off mailing lists), the DMA
preempted Congress from enacting legislation. Yet use of Mail Preference Service
exclusion lists is completely voluntary on the part of marketers. In actuality, it
is hardly used because it costs the marketer more to merge the lists.

Similarly, the EMail Marketing Council is offering an "opt out" system, whereby
you have to say you don't want spam. This is unacceptable. An "opt in" system is
the only viable solution, meaning you have to ask for spam to receive it.

Consider that the cost to a spammer is trivial to e-mail 10,000 addresses.
Yet the cost to merge exclusion lists is significant in proportion. It is doubtful
that exclusion lists would be used by most spammers, and certainly not by small
outfits. In fact, it would be of greater value to add the exclusion list
addresses to the spam list, since those are working, validated, addresses.
What spammers are looking for is additional hits per spam broadcast. Each
incremental hit means more revenue.

The first step of a viable solution is to enact "opt in" legislation like that
proposed by Rep. Chris Smith, discussed above (with substantially higher fines).

Anti-spam listserv mailing lists

SPAM-L
See the SPAM-L FAQ, which contains good information about tracking and handling spam.
To subscribe, send mail to: listserv@peach.ease.lsoft.com
Place the following in the message body:
Subscribe spam-l your name

Spam-Ad
To subscribe, send mail to: listserv@internet.com
Place the following in the message body:
Subscribe spam-ad your name

Spam-list
To subscribe, send mail to majordomo@mailer.psc.edu
Place the following in the body of the message:
Subscribe spam-list your email address

ISP Actions

Things your ISP can do to fight spam:

Have an Acceptable Use Practices (AUP) contract. If you breach contract,
you agree to pay $50 per complaint and cleanup costs per bounce received.
Cancellation of spammers' accounts should be as fast as possible.

RBL, DUL, and RSS are databases supported by the MAPS Mail Abuse Prevention System (it's also "spam" spelled backwards). The RBL list blocks traffic to 40% of the Internet. The RBL list is a list of spammers' IP addresses.

RSS is the Relay Spam Stopper. 17% of mail servers are insecure. RSS is a verified open server list. Open servers are insecure and can be "hijacked" by spammers.

MAPS sends email to postmaster@badserver saying that mail is being blocked and how to fix the problem. MAPS checks the RSS and RBL lists.

RSS is more technical because they can test for open email relay.

DUL is the DialUp List. This is a list of IP addresses, provided by ISPs, that will never send valid e-mail. Spammers often forge email to use these IP addresses.

ORBS works like the RSS relay detector but is more aggressive. ORBS lists open relay servers even if spam hasn't yet been sent through them. ISPs may consider this abuse of their network and block ORBS testing. If an ISP blocks ORBS, it will nevertheless be listed by ORBS as a suspected spammer.

Copyright 1995-2004 Fred Elbel. This material may be freely used and distributed only for non-commercial purposes, with credit.
Nothing in this web site should be construed as legal advice. This web site is provided for information purposes only. Opinions presented are those of the author (or of other contributors as indicated).
Trademarks and copyrighted items remain the property of the owner.